Synopsis
Maturity assessments are typically used to gauge the cyber security practices of an organisation. The result is translated into a score that is meant to represent how mature that organisation's cyber security practices are. However, is such a score a good measure of how effective the organisation's cyber security controls and processes actually are?
In this talk, I discuss the limitations of relying on typical maturity assessment approaches and of using maturity scores as a measure of effectiveness. As an alternative, I present an approach that uses gap identification to measure cyber security effectiveness. I will demonstrate how practitioners can create control effectiveness assessments, or modify existing maturity assessments into control effectiveness assessments, to identify gaps in both control design and operating effectiveness. Lastly, I will walk through how control effectiveness ratings can be used to generate maturity assessment scores when those are still needed.
This talk is aimed at InfoSec leaders and governance, risk and compliance specialists building or reconsidering how they run their cyber security controls maturity assessments.